Although some HIPAA updates were expected in 2018, the wheels of change move slowly. OCR considered HIPAA updates during 2018, but it is likely to take until the middle of 2019 before any of the changes proposed in 2018 are finalized. Further, the Trump Administration's policy of removing two regulations for every new one introduced means any new HIPAA regulations in 2019 are likely to be limited. First, there will need to be some easing of existing HIPAA requirements.

The HIPAA updates under consideration in 2018 were changes to how substance abuse and mental health records are protected. As part of efforts to tackle the opioid crisis, the HHS was considering changes to both HIPAA and the 42 CFR Part 2 regulations, which protect the privacy of patients with substance use disorders who seek treatment at federally assisted programs, with the aim of improving the level of care that can be provided. Other potential changes to HIPAA regulations in 2018 included the removal of aspects of HIPAA that impede the ability of doctors and hospitals to coordinate care and deliver it at a lower cost.

The most likely areas for HIPAA changes in 2019 are the aspects of the HIPAA Rules that are proving unnecessarily burdensome for HIPAA covered entities while providing little benefit to patients and health plan members, and those that can help with the transition to value-based healthcare.

How are New HIPAA Regulations Introduced?

The process of making HIPAA updates is slow, as the lack of HIPAA changes in 2018 shows. It has now been 5 years since there was a major update to the HIPAA Rules, and many believe changes are long overdue. Before any regulations are changed, the Department of Health and Human Services will usually seek feedback on aspects of the HIPAA regulations that are proving problematic or that, due to changes in technologies or practices, are no longer as important as when they were introduced.

After considering the comments and feedback, the HHS then submits a notice of proposed rulemaking followed by a comment period. Comments received from healthcare industry stakeholders are considered before a final rule change occurs. HIPAA-covered entities are then given a grace period to make the necessary changes before compliance with the new HIPAA regulations becomes mandatory and enforceable.

New HIPAA Regulations in 2019

OCR issued a request for information in December 2018 asking HIPAA covered entities for feedback on aspects of HIPAA Rules that were overly burdensome or obstruct the provision of healthcare, and areas where HIPAA updates could be made to improve care coordination and data sharing.

The period for comments closed on February 11, 2019, and OCR is now considering the responses received. A notice of proposed rulemaking will follow after careful consideration of all comments and feedback, although no timescale has been provided for when the NPRM will be issued. It is reasonable to assume, however, that there will be at least some new HIPAA regulations in 2019.

OCR was specifically looking at making changes to aspects of the HIPAA Privacy Rule that impede the transformation to value-based healthcare and areas where current Privacy Rule requirements limit or discourage coordinated care.

Under consideration are changes to HIPAA restrictions on disclosures of PHI that require authorizations from patients. Those requirements may be loosened as they are considered by many to hamper the transformation to value-based healthcare.

OCR is considering whether the Privacy Rule should be changed to make the sharing of patient data with other providers mandatory rather than simply allowing data sharing. Both the American Hospital Association (AHA) and the American Medical Association (AMA) have voiced their concern about this aspect of the proposed new HIPAA regulations and are against the change. Both organizations are also against any shortening of the timescale for responding to patient requests for copies of their medical records.

OCR is also considering HIPAA changes in 2019 that will help with the fight against the current opioid crisis in the United States. HHS Deputy Secretary Eric Hargan has stated that there have been some complaints about aspects of the HIPAA Privacy Rule that are stopping patients and their families from getting the help they need. There is some debate about whether new HIPAA regulations or changes to the HIPAA Privacy Rule are the right way forward, or whether further guidance from OCR would be a better solution.

One likely area where HIPAA will be updated is the requirement for healthcare providers to make a good faith effort to obtain individuals’ written acknowledgment of receipt of providers’ Notice of Privacy Practices. That requirement is expected to be dropped in the next round of HIPAA changes.

What is certain is new HIPAA regulations are around the corner, but whether there will be any 2019 HIPAA changes remains to be seen. It may take until 2020 for any changes to HIPAA regulations to be rolled out.

Changes to HIPAA Enforcement in 2019

Halfway through 2018, OCR had agreed only three settlements with HIPAA covered entities to resolve HIPAA violations, and its enforcement actions were at a fraction of the level of the previous two years. It was starting to look like OCR was easing up on its enforcement of the HIPAA Rules. However, OCR picked up the pace in the second half of the year and closed 2018 with 10 settlements and one civil monetary penalty, one more penalty than in 2018.

2018 ended up being a record year for HIPAA enforcement. The final total for fines and settlements was $28,683,400, which beat the previous record set in 2016 by 22%.

At HIMSS 2019, Roger Severino gave no indications that HIPAA enforcement in 2019 would be eased. Fines and settlements are likely to continue at the same level or even increase.

Severino did provide an update on the specific areas of HIPAA compliance that the OCR would be focused on in 2019. OCR is planning to ramp up enforcement of patient access rights. The details have yet to be ironed out, but denying patients access to their medical records, failures to provide copies of medical records in a reasonable time frame, and overcharging are all likely to be scrutinized and could result in financial penalties.

OCR will also be continuing to focus on particularly egregious cases of noncompliance – HIPAA-covered entities that have disregarded the duty of care to patients with respect to safeguarding their protected health information. OCR will come down heavy on entities that have a culture of noncompliance and when little to no effort has been put into complying with the HIPAA Rules.

The failure to conduct comprehensive risk analyses, poor risk management practices, lack of HIPAA policies and procedures, no business associate agreements, impermissible PHI disclosures, and a lack of safeguards typically attract financial penalties. OCR is also concerned about the volume of email data breaches. Phishing is a major problem area in healthcare and failures to address email security risks are likely to attract OCR’s attention in 2019.

Telemedicine, which enables health professionals to provide treatment to patients remotely, is especially useful in rural areas, where people are distanced from healthcare facilities. It can also play a considerable role during natural disasters when professionals cannot reach affected areas or must operate outside of traditional medical settings.

But because of the nature of the platform, and the technology used, telemedicine is susceptible to outside attacks, particularly cyberattacks. Communication and digital exchanges are often carried over the open internet. A patient will have a live video chat with a health professional via a mobile app, for instance. That feed and any data from the exchange are vulnerable to snooping or outright theft, especially if one of the parties is using an unsecured network connection.

Cyberattacks Are More Dangerous in Health Fields

There’s no reason to downplay general theft. The risk of hackers scooping up personal data is always a concern, but when attacks involve highly sensitive health details, the risks are much higher. Not only could the data be used to harm and damage others, but its misuse can also harm the professionals and, by proxy, the facility they work for. HIPAA law dictates that all communications and data exchanged between doctors and patients be secure — if not, healthcare providers face massive fines and penalties.

What makes the whole thing even more alarming is that, in today’s landscape, it’s not a matter of “if” you will experience a cyber attack or data breach, but “when.”

Norton Security, which claims "protection against viruses, malware and more," estimates that by 2023, cybercriminals will successfully steal 33 billion records per year.

To provide an even better perspective, consider this: By 2018, nearly 70 percent of businesses had experienced some form of cybersecurity attack, with over half experiencing a data breach. Out of all small businesses that suffer attacks, 60 percent close within six months of an event.

It’s a very costly, very damaging problem from which the healthcare and telemedicine industry is not exempt.

How to Prevent Attacks and Mitigate Damage When They Do Happen

Preventative measures are important, and understanding how to deal with an attack or breach can be instrumental in lowering risk. Assuming that a breach can and will happen allows you to better lock down your systems and data. For example, putting stringent authentication and user access measures in place helps ensure that only the right people can interact with certain types of data. This means that if a lower-privileged user's account were compromised, the attacker would not gain access to sensitive information.

The first recommendation is that you follow ISO 27001 standards and develop a process of internal audits to measure compliance and performance. This set of management standards deals specifically with information security and proactive protection measures.

Here are some ways to improve general security and mitigate the risks of a breach:

Hire a third-party data security provider or a consultant to understand what’s necessary to protect your network, systems and hardware

Establish user access protocols to prevent unauthorized users from accessing high-level information; in other words, keep people in their lanes

Use strong authentication measures to identify users and require the use of strong passwords

Educate personnel on the importance of security and ensure they understand what role they play

Use data encryption for all information sharing and open streams so that any exchanged information is locked behind a security protocol

Develop the entire platform, app or tool with security in mind as a foundational element

Create a response plan for cyberattacks: how you lock down affected systems and networks, prevent future data loss and tampering, and regain control

After a breach, always inform the necessary parties involved, including customers and patients, as well as regulatory bodies

While the measures listed here are valuable, many other tactics can help telemedicine practitioners prevent and protect against cyberattacks. The most obvious involves awareness and preparedness, which means educating yourself and your personnel on modern security.

This is not something that can be continually brushed aside or avoided. Security must always be a "now" practice that is honored and put in place as soon as possible. This is especially true for telemedicine, which involves the exchange of highly sensitive information across open channels.

CTI stands for Computer Telephony Integration, and it refers to any type of technology that allows computer functions and telephone exchange (PBX) functions to be interconnected, resulting in an added-value portfolio of services.

In the early days of telephony, you were not given the option of dialing; you would simply "signal" a switchboard and a human operator would ask what you required. Once you stated whom you wanted to call, that operator would establish a point-to-point connection between your terminal equipment (the phone) and the destination.

The funny thing is that nowadays, when you ask your smartphone’s personal assistant to call someone, the process as perceived by us humans is, in fact, the same, and we like it better than having to dial the number or look for the contact.

Telephone exchanges have become computers, replacing the long-gone PBX backbones. The integration of these computers (which perform the role of the telephone exchange) with terminal equipment that is itself a computer (such as a smartphone) and with software such as CRM and ERP servers or cloud-based app services has made the CTI concept more relevant by the day.

Telemedicine is becoming the new norm for giving and receiving care. Today’s patients are more connected than ever before and 64 percent of Americans report they would seek care via telemedicine, according to an American Well telehealth survey.

In its early stages, telemedicine seemed like another on-demand solution taking patients away from urgent care centers (UCCs). Today, urgent cares are realizing the benefits of integrating telemedicine into their operations, such as better flexibility, accessibility and in some cases, better patient satisfaction and outcomes.

Fortunately, telemedicine also has financial advantages. Telemedicine empowers UCCs to provide a convenient and cost-effective service for patients, while at the same time improving revenue. Have you considered telemedicine for your urgent care? Read on to learn more about the financial benefits of telemedicine:

Net-Benefits of Telemedicine

1. Increase the number of patients you see each day.

Telemedicine helps you work more efficiently and see more patients in less time. A virtual visit takes less time than an in-person visit, allowing your urgent care to increase the number of patients seen in a day, without having to extend office hours. For example, a clinic with three providers that completes two virtual visits per day, at an average reimbursement of $50, will earn $109,500 in additional revenue in just one year.

For UCCs that do feel the need to provide extended office hours, telemedicine is a feasible and cost-effective solution when you have a cloud-based electronic health record (EHR) with integrated telemedicine capabilities. Consider virtual extended hours, where a patient can be seen via a virtual visit conducted by a remote on-call physician. This idea eliminates in-person visits during extended hours, which keeps costs low, drives revenue for your clinic, and at the same time provides better accessibility for patients who may be in need during those off-hours.

2. Better allocate your resources.

Today, consumers have more options than ever before when it comes to their care. Long wait times can result in low patient satisfaction and fewer patients. If your clinic is experiencing long wait times, consider how you can incorporate telemedicine for services that don’t require an in-person visit, like for the flu or an emergency medication refill. Providing virtual visits for these scenarios is a much more efficient and cost-effective way for your patients and your clinic.

Telemedicine can also help multi-location UCCs balance their patient volumes and wait times, without having to spend money on additional resources. The Journal of Urgent Care Medicine cited an example of an urgent care that decreased patient wait times and increased patient satisfaction by equipping facilities with telemedicine capabilities in two locations. In other words, UCCs can leverage providers in lower-traffic locations to conduct virtual visits immediately and remotely for patients who are waiting to be seen at the busier location.

3. Reach more patients.

In addition to load balancing, telemedicine can easily enable UCCs to reach a larger pool of patients and generate more revenue. Urgent cares that use telemedicine can expand their services to reach patients across one state or several, instead of being limited to patients who live within a 3-5 mile radius.

4. Achieve competitive advantage.

Research from Accenture indicates patients want a better healthcare experience and they are leveraging technology, such as telemedicine, to do so. However, the same research also suggests patient demands for virtual care options are outpacing what’s currently available. This provides a significant opportunity for urgent cares. UCCs were the catalysts for convenient, on-demand healthcare; those who continue to evolve with their patients will successfully differentiate themselves in today’s competitive healthcare market.

To continue to lead in the on-demand market, urgent care centers will need to adopt technology such as telemedicine to meet patient expectations. The good news is that telemedicine is a smart investment that can result in improved efficiency, patient care, cost savings, revenue and more. Incorporating telemedicine into your UCC isn't difficult, and there are affordable telemedicine solutions on the market today. UCCs that incorporate telemedicine have a lot to gain and very little to lose.

With VoIP (voice over internet protocol), companies are now able to access cheaper, more accessible phone systems all over the world. While VoIP phones have become common, particularly in North America and Europe, there is still a broad growth trend in Asian, African, and Latin American markets. Asia-Pacific markets expect an estimated 14% growth over the next five years, a significant increase considering the dense technological saturation in the region, driven primarily by the expansion of high-speed communications networks.

In markets where there isn’t such an extreme jump in internet infrastructure, there are also significant gains in the adoption of IP phone technology. In Africa, VoIP growth is stunning (80% in South Africa, for example). Because governments own traditional phone infrastructure in Africa, and also because of the challenges expanding utilities to less urban or more isolated areas, mobile VoIP has been replacing traditional phone systems for emerging and growing businesses.

Given contemporary global markets and the push toward global expansion, even companies that have long-established traditional phone infrastructure are adopting VoIP systems for their call centers and sales teams. Global calls are more than just person-to-person voice; they now include video, conferencing, and text, whether in Asia, Europe, or North America.

With VoIP phone systems, businesses can integrate their phones with their computers and smoothly connect all aspects of sales and service. SMEs and larger enterprises alike can benefit from merging data and communications functions: with IP phones, users gain key communication features while their VoIP service provider handles IT, updates, and data hosting.

It follows that it is important for businesses to find the best VoIP phone system and CRM for their needs. Some companies need a comprehensive system that works seamlessly across a host of different silos, whereas other businesses need customizable specifics for one element (IT, for example). Businesses must understand their budgets, their dominant departments, and their need for scalability, and make decisions accordingly.

There are many misconceptions when it comes to HIPAA and security controls for covered entities. While security is related to technical measures such as encryption, firewalls, and security risk assessments, it also addresses physical and administrative safeguards that must be in place to protect patient information. In order to comply with HIPAA regulation, healthcare organizations must address each standard and safeguard outlined in the HIPAA Security Rule.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has now released new information further emphasizing the importance of physical safeguards for healthcare organizations across the country. HIPAA not only requires technical controls to protect the confidentiality, integrity, and availability of protected health information (PHI) but also proper physical security controls.

Physical safeguards are generally seen as the simplest and cheapest way of protecting PHI, yet many organizations tend to overlook this important element of security. Some physical security controls even cost nothing, such as simply locking up portable electronic devices (laptops, portable storage devices, and pen drives) when they are not in use.

Although this may seem like a very basic form of security, it is one of the most effective ways of preventing theft. To illustrate the importance of HIPAA physical security safeguards, OCR focuses on a 2015 HIPAA settlement with Lahey Hospital and Medical Center that affected 599 patients. This breach and subsequent HIPAA fine were triggered by the theft of an unencrypted laptop from the Tufts Medical School-affiliated teaching hospital.

The laptop was stolen from an unlocked treatment room off an inner corridor of the radiology department and contained ePHI. Lahey Hospital was fined $850,000 for failing to implement physical controls, a high price to pay for something that could have been avoided if some simple physical security safeguards had been in place.

Prior to the Lahey Hospital settlement, QCA Health Plan paid $250,000 to OCR in 2014 for potential HIPAA violations. QCA Health Plan had neglected to implement physical safeguards for all workstations to restrict access to ePHI to authorized users only. In this case, an unencrypted laptop was stolen from an employee's vehicle.

Massachusetts Eye and Ear Infirmary (MEEI) also settled a HIPAA violation with OCR in 2012 for $1.5 million. Again, this incident was related to the theft of an unencrypted laptop, resulting in the exposure of patients’ ePHI.

In 2016, Feinstein Institute for Medical Research settled potential HIPAA violations with OCR for $3.9 million. Feinstein Institute had failed to physically secure a laptop containing the ePHI of 13,000 patients, which was stolen from an employee's vehicle.

In July 2016, the University of Mississippi Medical Center was fined $2,750,000 for a failure to implement HIPAA physical security safeguards. An unencrypted laptop that contained ePHI of approximately 10,000 patients was stolen from its Medical Intensive Care Unit.

Preventing HIPAA Physical Security Breaches

It is up to covered entities and their business associates to decide on the most appropriate physical security safeguards that will protect their patients’ ePHI. One way organizations can implement these physical security controls is by adopting an effective compliance program.

Compliance Group gives health care organizations confidence in their HIPAA compliance with The Guard. The Guard is our HIPAA compliance web-app that covers every element of HIPAA compliance.

Our Compliance Coaches will guide users through every step of their compliance program with the help of our HIPAA compliance web-app. The Guard is built to address the full extent of HIPAA regulation, including everything needed to implement an effective HIPAA compliance program that will help safeguard your practice from violations and fines.

With The Guard, health care professionals will not only address their physical security safeguards but the technical and administrative safeguards as well, along with the other HIPAA requirements.

Large organizations have always focused on managing risk, but the technological breakthroughs that have enhanced our world in countless ways have also transformed how leading executives engage in enterprise risk management (ERM). The pervasive and ever-expanding threat of cybercrime means that comprehensive strategies for cybersecurity are now absolutely essential for all organizations.

After all, a report by Cybersecurity Ventures estimates that cybercrime across the globe will cost more than $6 trillion annually by 2021.

The sheer magnitude and pervasiveness of the crisis represent a cybersecurity call to arms, and seemingly no one is immune. By now, the list of data breach victims reads like a who’s who of major corporations, governmental agencies, retailers, restaurant chains, universities, social media sites and more:

The Department of Homeland Security, IRS, FBI, NSA, DoD

Macy’s, Saks Fifth Avenue, Lord & Taylor, Bloomingdale’s

Facebook, Reddit, Yahoo, eBay, LinkedIn

Panera, Arby’s, Whole Foods, Wendy’s

Target, CVS, Home Depot, Best Buy

Delta, British Airways, Orbitz

Equifax, Citigroup, J.P. Morgan Chase

The Democratic National Committee

Adidas, Columbia Sportswear, Under Armour

UC Berkeley, Penn State, Johns Hopkins

If you need another reason to drop everything and prioritize cybersecurity risk management in your organization's overall ERM strategies and systems, consider the recent NotPetya malware attack. Described by Wired as "The Most Devastating Cyberattack in History," it disrupted global shipping operations for several weeks and caused more than $10 billion in total damages while temporarily crippling such multinational companies as shipping giant Maersk and FedEx's European subsidiary, TNT Express. All because hackers were able to infiltrate a networked but unsecured server in Ukraine that was running software that made it more vulnerable to attack.

Despite these and countless other costly incidents and attacks, many organizations have not yet fully incorporated cybersecurity risks into their overall enterprise risk management frameworks.

3 Chief Obstacles to Cyber Security and ERM Preparedness

The ever-expanding list of high-profile attacks and victims could be seen as evidence that, in many instances, “the adversaries are winning,” according to Richard Spires, a former chief information officer at both the IRS and the Department of Homeland Security. Or at least that there is much work to be done to combat the ongoing threat.

In a piece titled “The Enterprise Risk Management Approach to Cybersecurity,” Spires poses the question: “In an era of ever more sophisticated cybersecurity tools, how is it that we are actually backsliding as a community?” And he offers three key answers:

Complexity: IT (and cybersecurity) systems are by their nature extremely complex and in many cases far-flung, so creating airtight security is incredibly challenging.

Highly Skilled Adversaries: The hackers’ tactics and methods continue to grow more sophisticated. Plus, their risk is low because they are hard to catch. They are smart and, with billions of dollars on the line, more highly motivated than ever.

Lack of IT professionals: Cisco reports that 1 million cybersecurity jobs are currently unfilled worldwide and that "most large organizations struggle to find, develop and then retain such talent." The shortage of qualified cybersecurity professionals with the right skills, knowledge, and experience is an ongoing "crisis," according to Forbes.

One of the leading efforts to develop protocols that organizations can use to safeguard themselves is sponsored by the U.S. Government — the National Institute of Standards and Technology’s Cybersecurity Framework.

According to Gartner, more than 50 percent of U.S.-based organizations will use the NIST Cybersecurity Framework as a central component of their enterprise risk management strategy by 2020, up from 30 percent in 2015. This voluntary framework consists of “standards, guidelines, and best practices to manage cybersecurity-related risk,” according to NIST, which reports that version 1.1 of the Cybersecurity Framework has been downloaded over 205,000 times since April 2018.

Also, the Center for Internet Security (CIS) has produced “a prioritized set of (20) actions to defend against pervasive cyber threats.” CIS says its protocols are intended to provide “a roadmap for conducting rigorous and regular cybersecurity enterprise risk management processes that will significantly lower an organization’s risk of catastrophic loss.”

CIS, which claims its best practices could have prevented attacks like the data breach that hit the consumer credit reporting agency Equifax, also offers guidelines for the seemingly “overwhelming” challenge of how to build a cybersecurity compliance plan.

5 Helpful Tips for Cyber Security and Enterprise Risk Management

OK, how about some actionable tips for organizations looking to beef up their cybersecurity defenses and risk management profile? Chris Yule, a senior principal consultant for SecureWorks, breaks it down in laymen’s terms in a quick video. Yule’s five tips include:

Cultivate support of senior management — It is essential for organizations to have strong support for cybersecurity risk management on the senior management team and to tie it to their overall business strategy.

Limit your attack surface — Often referred to as “hardening” your potential targets and vulnerabilities, this refers to coordinating with IT in reducing your exposure and “locking things down.”

Increase visibility and awareness — In addition to building up defenses to reduce risk, organizations must also "tear things down." This means working to better understand the potential spectrum of risk by conducting comprehensive internal vulnerability scanning, penetration testing and "monitoring your infrastructure for the bad stuff."

Build a culture of security among employees — Employees must be committed to cybersecurity and clearly understand their specific responsibilities. “Make sure that everybody’s trained, everybody knows what their role is within the organization to keep things secure,” said Yule.

Prepare an incident response plan — “You need to be prepared for when things go wrong,” warned Yule. Notice that he says when and not if. “Everybody will get breached at some point regardless of what you do,” said Yule, so it is essential that everybody knows “what the plan is to contain and eradicate that threat when it happens.”

Cloud solutions are quickly becoming the new norm for the way businesses operate today. Many companies are moving from legacy software systems to online “hosted” alternatives, such as SaaS (Software-as-a-Service), PaaS (Platform-as-a-Service) or IaaS (Infrastructure-as-a-Service). The benefits of cloud-based solutions over desktop software are wide-ranging, affecting everything from productivity to data security. Healthcare organizations also need to take the appropriate precautions to ensure that they have a HIPAA compliance cloud.

It makes sense to see why so many organizations are adopting cloud-based solutions: improved efficiency, flexibility, cost reduction, mobility, and around-the-clock support are all driving forces behind the growth of cloud services.

Yet, HIPAA compliance cloud services also raise some concerns in regards to security and compliance, which go hand-in-hand to help organizations keep their sensitive healthcare data safe. For businesses operating in the healthcare industry, which accounts for approximately one-fifth of the US economy, these concerns escalate due to HIPAA regulatory requirements that mandate the privacy and security of patients’ protected health information (PHI). PHI is any demographic information that can be used to identify a patient. Common examples of PHI include names, dates of birth, Social Security numbers, phone numbers, medical records, and full facial photos, to name a few.

HIPAA applies to covered entities, such as providers and insurance plans, as well as business associates who perform certain functions for, or on behalf of another health care organization that involves receiving, maintaining, or transmitting PHI.

For example, a cloud service provider (CSP) that handles PHI for a covered entity, whether it provides data storage or a complete software solution such as a hosted electronic medical record system, is considered a business associate and needs to implement a HIPAA compliance cloud.

HIPAA Compliance in the Cloud

In a nutshell, both covered entities and business associates need a HIPAA compliance cloud that allows for the creation of an effective compliance program. The Department of Health and Human Services (HHS) released detailed, five-step guidance on cloud computing that parties must adhere to in order to maintain HIPAA compliant relationships. This HHS guidance on HIPAA compliance cloud services includes:

Execute a Business Associate Agreement – A business associate agreement outlines what business associates can and cannot do with the PHI they access, how they will protect that PHI, how they will prevent PHI disclosure, and the appropriate method for reporting a breach of PHI if one occurs. It also defines liability in the event of a data breach.

Conduct a HIPAA Security Risk Assessment – The covered entity or business associate that works with a cloud service provider must document the cloud computing environment and the security solutions put in place by the cloud service provider as part of its risk management policies.

Abide by the HIPAA Privacy Rule – A covered entity must enforce proper safeguards to keep PHI safe, and PHI may only be disclosed to a business associate after a business associate agreement has been executed.

Implement HIPAA Security Safeguards – A business associate must comply with all three key security safeguards outlined in the HIPAA Security Rule: Physical, Technical and Administrative.

Adhere to the HIPAA Breach Notification Rule – In the event of a data breach, covered entities and business associates are required to document and investigate the incident. All breaches must be reported to HHS OCR, and all affected parties must be notified as well.

The only exception to the Breach Notification Rule is if the data was properly encrypted. If, for example, a properly encrypted device containing PHI goes missing, there is a low probability that the data will be accessible to an unauthorized user, so the incident does not have to be reported under the provisions of the Breach Notification Rule. This relief depends on the encryption meeting the HHS standard and on the decryption key not having been compromised along with the data (for example, stored on the same lost device).

However, it is crucial that all HIPAA covered entities and business associates read the standards outlined in the regulation to determine the proper level of HIPAA encryption for different modes of data storage and transmission.

If a covered entity does not execute a Business Associate Agreement with a third-party vendor with whom it shares PHI, both organizations are leaving themselves exposed to a significant risk of HIPAA violations.

A HIPAA Compliant Cloud Will Save You Money

Data breaches are very costly, not only due to monetary penalties but also because of the long-lasting reputational damage a breach can do to an organization.

HIPAA breach fines can range anywhere from $100 to $50,000 per violation or record, with up to a maximum of $1.5 million per violation. When multiple violations or a large-scale data breach occur, these fines compound and can lead to millions of dollars in HIPAA fines. As if that isn’t bad enough, breaches are publicly listed on the “Wall of Shame,” maintained by HHS OCR, which shows all HIPAA breaches affecting 500 or more individuals. Even worse, some HIPAA violations can lead to criminal charges, carrying the potential for jail time.

In order to avoid violations and fines, healthcare providers and business associates must comply with HIPAA regulations, which means protecting the security and privacy of their patients’ PHI.

Compliancy Group Can Help!

Compliancy Group helps healthcare professionals and business associates effectively address their HIPAA compliance with our cloud-based app, The Guard. The Guard allows users to achieve, illustrate, and maintain compliance, addressing everything that the law requires.

Users are paired with one of our expert Compliance Coaches. They will guide you through every step of the process and answer any questions you may have along the way. Compliancy Group simplifies compliance so you can get back to confidently running your business.

And in the event of a data breach or HIPAA audit, our Audit Response Team works with users through the entire documentation and reporting process. At Compliancy Group, we go above and beyond to help demonstrate your good faith effort toward HIPAA compliance.

This time, I had the privilege of speaking with defensive security expert Liz Bell. We talked about the 90s internet, blue teaming, sexism and transphobia in tech as well as what pen testing can teach you about defensive security.

Kim Crawley: Please tell me a bit about yourself and what you do.

Liz Bell: I work for a cybersecurity defense company that provides network monitoring and response tools for customers in the finance, government, and energy sectors. I work on the internal monitoring team, which means I help keep our own networks safe. Before that, I worked in penetration testing punctuated with some time in academia doing research on applying machine learning techniques to attacking ciphers, and before that, I was a software engineer. I’ve been interested in security since I was little, though. Being lucky enough to have grown up with the web, I just caught the tail end of the BBS era, and so I got to see security start to become something people actually took seriously. Being curious, my general instinct was to find ways to circumvent limitations. Now I get to spot people trying to do those same things.

KC: It sounds like you’ve been online since the 90s. I’ve been online since 1994. Is there anything about the 90s internet that you miss these days?

LB: There are a few things that I’m kind of nostalgic about like MSN chat rooms, hearing my phone sing the internet song to the gateway, downloading Win32 viruses from Napster and Limewire, earning badges and posting angsty poetry on Bolt.com, but I think the main thing I miss is the openness and generosity of the web back then. These days, it feels like, if you’re fortunate, you have a series of walled gardens, and if you’re not, you’re facing a never-ending stream of racist/homophobic/transphobic content and intrusive adtech.

KC: You mentioned P2P malware, which is still a problem these days. How do you think online cybersecurity challenges are different now compared to back then?

LB: I think a major difference between then and now, if not the main difference, is money. Once we started being able to shop and bank online, users became a good target for scammers, extortionists and other organized crime groups. Not to mention the environment is now extremely different; a lot of people now have a lot of their lives stored in phones, tablets, and laptops, and some of those also end up connecting to corporate or industrial networks. For organizations, this means that just defining what your network perimeter is can sometimes be impossible.

As far as national security is concerned, the public at large has become much more aware of the scale of state-level activities on communication networks, much more than when the ECHELON disclosures happened, as far as I can tell. I think that has also led to something of a change in what people’s threat model looks like.

KC: Echelon! I knew someone who worked at Lawrence Livermore back in the day, apparently on that particular project.

LB: That’s awesome! I work with a lot of former IC and .mil people who I understand have probably been involved in a lot of things that would make for extremely interesting conversations, but alas, I’m not cleared.

KC: How has your penetration testing experience helped you with your blue team work?

LB: It’s a big help. Understanding the different kinds of techniques and tools used by adversaries to compromise accounts, intercept traffic or steal data means I have more of an ability to spot patterns or suspicious outliers in our sensor data. Likewise, seeing how blue teams operate makes me better at doing the offensive work or, at least, doing it in a way that’s less likely to get me caught! I’m increasingly a proponent of getting the red team and blue team members to trade sides occasionally or work together to have a better understanding of how the other side operates.

KC: Has sexism ever been a challenge in your career?

LB: Honestly, I don’t know. When I first started, I hadn’t transitioned yet, and so I was perceived as an (effeminate, not assertive) man, and so presumably I benefited from that when it came to getting my career started. At a previous employer, after transitioning, I was the only female penetration tester in the office, the only woman I knew of working in a technical role, and the only out queer person, and I started getting more complaints about my performance. I ultimately ended up leaving, and it definitely became harder to find work afterward, but then again, what I was looking for was pretty specific. I’m lucky enough to have been hired by a woman and be managed by a woman, in my current role, even though the team is still largely white cisgender straight men.

KC: Well, you’re not the first transgender woman I’ve interviewed in this series. I’m happy to see more transgender people in cybersecurity.

LB: I actually applied to the place I’m working at now because a good friend of mine, who’s also trans, worked there. It was an incredible privilege to go from this extremely homogenous environment to getting to work professionally in information security with another queer trans woman.

KC: Is there anything you miss about your pen testing days?

LB: I do miss the “let’s be evil” feeling sometimes, and the interaction with external clients from all kinds of different industries. My job now has maybe a little less variety, but I get to stick with projects longer, and being an investigator definitely makes up for not getting to pretend to be a criminal anymore!

KC: I have spoken to Defensive Security Handbook authors Ian Brotherston and Amanda Berlin, who believe that defensive security is underrated in our field. Do you agree?

LB: I think that offensive security gets a lot of the glamor, but penetration testing is really only a small piece of what keeps users safe. Blue team folks definitely don’t get nearly enough credit or support; offensive security people need to only find one problem, but defensive security practitioners can’t make a single mistake.

KC: Do you think a lot of organizations overlook defensive security?

LB: In my experience, a lot of organizations tend to maybe focus on the wrong things: or rather, they optimize for meeting regulatory requirements. Rules say they need a firewall and quarterly penetration tests, so they buy a firewall and contract the tests out. Security should be baked in everywhere; into the software development lifecycle, the monitoring and maintenance of the corporate network, training of new employees and continuous training of your existing staff and even how the organization interacts with suppliers. The line between ‘defensive information security’ and ‘physical security’ gets fuzzy, and I don’t know if many organizations prioritize either at sufficiently many levels of the stack.

KC: I’ve learned a lot from you. Do you have anything else you’d like to add before we go, Liz?

LB: I think it might be worth mentioning that machine learning is increasingly something people are exploring in both the defensive and offensive information security space, and in order to both defend against robot hackers and defeat Skynet, or build either, it helps to have that blended blue and red team exposure. Otherwise, thank you so much for your work here boosting not-male voices!

Healthcare tech is moving more and more toward mHealth solutions for consumer use. Apple in particular has made major expansions into healthcare and mHealth technologies over the past few years. Many patients are using wearables such as the Apple Watch to monitor, track, and report health care data. But with this new field of mHealth, security issues abound and there are still many grey areas surrounding who is legally responsible for protecting the privacy of patient data.

How Wearables Could Impact Your Business

In September, Apple made headlines with its newest version of the Apple Watch. CEO Tim Cook bragged about the watch’s fall detection capability, automatic workout tracking, and a heart sensor with ECG capability. With these advancements, Apple will continue to have a tremendous impact on the healthcare industry. In a recent CNBC interview, Cook said that the health-related work will be Apple’s “greatest contribution to mankind.”

Yet, there have already been HIPAA-related incidents stemming from multiple health tracking apps and wearables across the mHealth industry. In 2018, the popular fitness and nutrition tracking app MyFitnessPal experienced a breach, exposing the names, email addresses, and passwords of 150 million people. In addition, the fitness app Strava revealed the locations of U.S. military personnel on secret bases. According to Forbes, your electronic health records could be worth hundreds or thousands of dollars on the black market, which makes the Apple Watch and mHealth technologies like it prime targets for security breaches.

And of course, this affects health care professionals around the country. mHealth security vulnerabilities continue to pose a serious issue to patient privacy. And with these mHealth security and privacy concerns, HIPAA regulatory standards are in a grey area, especially where enforcement is concerned. Wearables like the Apple Watch expose privacy and security vulnerabilities for healthcare consumers, providers, and vendors working in the healthcare space alike.

Who’s Responsible for Wearable Data?

When it comes to HIPAA, covered entities must be compliant with the full extent of the regulation. A covered entity is any health care provider, health plan, or health care clearinghouse that uses protected health information (PHI) for the purpose of payment, treatment, or operations.

Under the HIPAA Privacy Rule, covered entities must implement the necessary safeguards to ensure that PHI is kept safe. PHI is any demographic information used to identify a patient. Some common examples of PHI include names, email addresses, addresses, and Social Security numbers, to name a few.

That means that if a doctor partners with wearable companies and uses that biometric data over the course of care, then the doctor is responsible for protecting patients’ PHI. The mHealth apps and wearable companies themselves are likely considered business associates under HIPAA. Business associates include any organization that handles PHI on behalf of another entity subject to HIPAA. Liability in the event of a data breach involving PHI that was collected by mHealth devices but used over the course of a patient’s treatment presents a new challenge to HIPAA regulation.

However, changes to HIPAA regulation or HIPAA guidance in response to new and evolving technologies are not new. In 2009, the HITECH Act was passed, which made sweeping changes to HIPAA regulation in response to the rise of electronic health records (EHR) platforms and the increasingly digital shift across the healthcare industry.

HIPAA guidance regarding the use of mHealth tech, apps, and wearables will likely be addressed by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) in the years ahead. However, in the meantime, covered entities and business associates should guard against the potential for data loss, federal fines, and cyber-security risk by implementing an effective HIPAA compliance program to protect their business.

HIPAA Compliance Comes First!

As technology continues to develop, organizations within the healthcare industry will still need to comply with HIPAA regulations.

Compliancy Group gives healthcare professionals the tools they need to effectively address the full extent of HIPAA regulation. We give your organization confidence in your compliance with our proprietary achieve, illustrate, and maintain methodology, all housed in our cloud-based app, the Guard. The Guard allows users to address every element of what the law requires to give you peace of mind.

Users will also have help along the way. Our Compliance Coaches will walk you through every step of the process and ensure you have a complete understanding of HIPAA.

Compliancy Group is here to simplify compliance so you can confidently focus on your business. Find out how we can help!

A person recently asked me if it was possible to implement ISO 27001 using a specific project management software product. They had used the tool in the past to define project plans and conduct project reviews. While I told them this is entirely possible, the truth is one can implement ISO 27001 even without a project plan or any specific tools. But should they?

ISO 27001 and Information Security in Project Management

The point is that many people do not treat the implementation of ISO 27001 as a project. What is worse, the majority see this security standard as just another document kit. They believe information security could be established just by making their employees scan a set of documents. Of course, this is an entirely incorrect concept of ISO 27001. To establish information security within an organization, we need to implement a set of specifically defined procedures.

This is also analogous to establishing information security within project management itself. While most think that ISO 27001 is merely a document or a project plan a manager needs to quickly scan before the project starts, this could not be further from the truth. What we actually need to do is clearly define a guide for the implementation of information security during the entirety of the project management life cycle.

Unfortunately, a lot of people find it difficult to understand what information security in project management entails. But the concept is fairly easy to grasp – protect information related to project management from an information security point of view.

How Can We Establish Information Security in Project Management?

To properly protect information around any project, we need to focus on securing the information that is essential to the management of a specific project (information related to the project itself, business, resources, personal data, etc).

Furthermore, it is extremely important to identify the classification of the information because its value is not always the same. For example, names and surnames are treated as public, while information on employee salaries is considered private.

But even though some information is considered public, we still need to protect it. The obvious reason is that it could be modified without our permission. For example, an e-commerce website would see a significant decrease in revenue if someone were to modify its public information by increasing product prices by $100.

Therefore, one important thing to focus on would be the identification of information in your project, i.e. defining the classification of information and considering that not all information should be treated equally. Now let us take a closer look at how ISO 27001 helps with establishing information security in project management.

Managing Projects in Accordance With ISO 27001

The most important aspect of ISO 27001 is risk management, which is a crucial point if you want to manage projects according to this information security standard. Annex A of ISO 27001 includes a specific control regarding risk management (“A.6.1.5 Information security in project management”) according to which you would need to define the following points:

Define information security objectives, for example reducing the number of incidents and improving the confidentiality of external access to information.

Perform risk assessment and risk treatment, for example for risks related to source code in software development or to the company’s entire IT infrastructure.

Develop specific information security policies for the project. If the project involves software development, it might be wise to develop a policy on writing code securely.

Benefits of Information Security in Project Management

Clearly, there are a lot of risks when it comes to establishing information security in project management. Although these could be hazardous to your project, the good news is you can easily avoid them. You just need to clearly define information security throughout the entire project life cycle. Risk management is the ultimate tool to pinpoint what you need to change in your project to avoid problems and execute it securely.

Some might wonder whether it is possible to execute a project without considering information security. Obviously, one can manage a project without establishing proper infosec, but there will be a much higher probability of failure.

From a professional viewpoint, and since information security should be of the highest importance to any project manager, the main benefit of secure project management is abundantly clear: avoidance of any potential breaches of information security within a project.

Fortunately, ISO 27001 is specifically designed to establish proper information security while having a specific control regarding the treatment of information security in project management. Therefore, ISO 27001 can be an excellent tool for executing secure projects within your organization.

Bridging the Patient | Provider Divide

There is a growing divide between patients and providers over medical billing. While patient surveys repeatedly cite online accessibility and ease of billing as top concerns, most healthcare providers are not working to address those concerns.

A February article in Becker’s Hospital Review found that upgrading digital payment tools was not a priority for most healthcare providers. A separate survey found that 79 percent of patients “consider the billing and payment experience” when choosing a healthcare provider.

StrongBox eSolutions, based in Boca Raton, FL, is working to bridge the patient/provider divide by addressing the needs of patients while providing innovative solutions for providers through our cloud-based revenue cycle management software and patient financing solutions.

What Poll Results Tell Us About Patient Expectations

A recent report by Patientco surveyed more than 50 providers at large health systems that had more than 350 beds and 200 patients on average. Here are their findings.

Nearly 80 percent of patients said they consider billing options when choosing their healthcare provider.

The vast majority (90.5 percent) of patient respondents said they prefer the option to pay their medical bills through installment payments.

Half of the patients reported affordability as a top concern while less than 13 percent of providers shared that concern.

The patients have spoken. Affordability and ease of access are top priorities for patients, even if those concerns aren’t always shared by providers. So how can your private practice, MSO, or medical/dental group begin to bridge the divide and benefit from a more efficient billing system? Simple. By using StrongBox eSolutions, our platform as a service offers two benefits that serve both your patients and your bottom line.

StrongBox eSolutions Services

StrongBox creates a win-win for both providers and patients. Your patients will receive a streamlined billing and payment experience. We offer two financing options (Select and Pro) that will provide your patients with:

No hidden markups

Fixed-rate loans

No interest hikes for late payments

Access to top-tier lenders

Zero credit score impact

Fast lender response

Hassle-free applications

Fixed monthly payments

As a provider, you will receive an enhanced revenue profile and a lower risk profile. StrongBox efficiency creation helps create a better patient experience, which in turn leads to higher patient satisfaction and higher patient retention.

You can view KPIs on a daily, weekly, monthly, and annual basis. Plus, we offer a 12-month revenue snapshot that can be used to compare profitability with prior years. Any reports that are not built-in can be added by using our software’s custom reporting tools.

Learn How StrongBox eSolutions Services Is Bridging the Patient/Provider Divide

Nearly 80 percent of patients consider billing options when choosing their healthcare provider. When patients are empowered to handle their own billing and financing, patient payment compliance rises and delinquent payments drop. Our online Patient Payment Portal is designed with this in mind.

By partnering with our online services, you will be sending the message that your business is listening and addressing those concerns. To learn more about our services, contact our team online or call our Boca Raton, FL office at (855) 468-7876.

A Revolutionary Approach to HIPAA Compliance

We all know that meeting the requirements set forth in the HIPAA compliance policy is mandatory for any healthcare, medical records, insurance, or other healthcare-related business. Securing individuals’ electronic protected health information (ePHI) is the most critical step to complying with HIPAA.

Yet this is often easier said than done, especially when you consider the high number of complex requirements that must be met in order to prove compliance.

The challenges of abiding by the “Security Rule”

For example, one of the most critical items on any HIPAA compliance checklist is meeting the Security Standards for the Protection of Electronic Health Information. Commonly referred to as the “Security Rule,” this requirement establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form.

The Security Rule addresses the technical and non-technical safeguards that organizations referred to as “covered entities” must put in place to secure individuals’ ePHI. All covered entities must assess their security risks, even those entities that utilize certified electronic health record (EHR) technology. Those entities must put in place administrative, physical and technical safeguards to maintain compliance with the Security Rule, and document every security compliance measure.


CSPi’s HIPAA compliance solutions

If all of this sounds intimidating, we have some good news: CSPi’s security solutions are uniquely suited to address the requirements specified in the Security Rule (and in turn, to help you stay HIPAA compliant).

Interested in learning more about CSPi, including how our innovative security tools are helping today’s healthcare leaders achieve compliance with HIPAA? Make your plans to visit with us at the upcoming HIMSS conference, or visit www.cspi.com, to learn more about our HIPAA compliance programs.

About CSPi

CSPi is a leading cybersecurity firm that has been solving security challenges since 1968. Our security solutions take a radically different approach to enterprise-wide data security by focusing on the data at its source, securing DevOps applications and leveraging network traffic for actionable insights. CSPi’s ARIA SDS platform uses a simple automated approach to protect any organization’s critical data, including PII/PHI, on-premise and in public clouds, whether it is in use, in transit, or at rest. Our Myricom® nVoy Series appliances provide compliance assurance, automated breach verification and network monitoring enabled by the 10G dropless packet capture capabilities of our Myricom® ARC intelligent adapters. To learn more about how our cybersecurity products can help you with data privacy regulation compliance, check out our how-to guide, “Successfully Complying with Data Privacy Regulations.”

The well-established security firm Check Point recently ranked cryptomining as the leading cyber-threat in healthcare – ahead of ransomware. Cryptomining malware, also known as cryptocurrency mining malware, refers to software programs and malware components developed to take over a computer’s resources and use them for cryptocurrency mining without the user’s authorization. This hijacking of computer resources can result in a shutdown or even total system failure. Cryptomining is not specifically addressed by the HIPAA Security Rule. However, the threat of cryptomining malware should prompt covered entities and business associates to evaluate their Security Rule compliance efforts and, if necessary, implement additional cybersecurity measures to protect against this unique and powerful threat.

Under the HIPAA Security Rule, covered entities and business associates must implement administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). Cryptomining malware can compromise all three. To understand the nature of the threat posed by cryptomining malware, it is useful to first understand three basic concepts: cryptocurrency, cryptography, and cryptomining.

What is Cryptocurrency?

Cryptocurrency is digital money that can be purchased, transferred, and/or sold. It exists solely on the Internet. This form of currency is not backed by anything tangible (such as gold), nor is it backed or managed by any bank or government. Cryptocurrency transactions, or trades, are recorded and verified by a decentralized network of computers, one not controlled by any single entity.

What is Cryptography?

Cryptography is a method of protecting information by encrypting it into an unreadable format known as ciphertext. Ciphertext can be converted to regular text through the process of decryption. Cryptography encrypts and protects the data used to help identify and track cryptocurrency transactions.

What is Cryptomining?

Cryptocurrency miners engage in cryptomining to earn more cryptocurrency (often referred to as “coins” or “Bitcoins”).

Here is how the mining process works:

Miners compete with other cryptominers to solve complicated mathematical problems. Solving the problems enables the miner to authorize a transaction and to chain together (blockchain) blocks of transactions. Once a transaction is included in a block, it is secure and complete.

For his or her mining activities, the miner receives a small amount of cryptocurrency. The more currency a miner “mines,” the more currency the miner ends up owning. That cryptocurrency can then be sold for actual cash.

So, you may now be thinking:
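The mining process described above, as an added toy example in Python (not from the original article and not real Bitcoin code): the “complicated mathematical problem” is a brute-force search for a nonce that makes the block’s SHA-256 hash fall below a target, and each block commits to the previous block’s hash, which is what chains them. The `DIFFICULTY` value, the block fields and the transaction strings are constructed for illustration only.

```python
"""Toy proof-of-work chain illustrating cryptomining. Constructed example; not Bitcoin's code."""
import hashlib
import json
from dataclasses import dataclass, asdict

# Leading zero bits the block hash must have. A toy value so the search finishes in
# milliseconds; real networks set this so the search costs enormous compute.
DIFFICULTY = 12


@dataclass
class Block:
    index: int
    prev_hash: str          # hash of the previous block: this is the "chain" link
    transactions: list      # constructed transaction strings
    nonce: int = 0          # the value miners search for

    def serialize(self) -> bytes:
        # Canonical encoding so identical content always produces the same hash.
        return json.dumps(asdict(self), sort_keys=True).encode()

    def hash(self) -> str:
        return hashlib.sha256(self.serialize()).hexdigest()


def meets_target(block_hash: str, difficulty: int = DIFFICULTY) -> bool:
    """Proof-of-work check: the hash, read as a 256-bit integer, must be below the target."""
    return int(block_hash, 16) < (1 << (256 - difficulty))


def mine(block: Block, difficulty: int = DIFFICULTY) -> int:
    """Brute-force nonces until the block hash meets the target. Returns the attempts made.

    There is no shortcut: the only way to find a valid nonce is to hash, check and repeat.
    That repeated hashing is the CPU and power cost that cryptomining malware steals.
    """
    attempts = 0
    while not meets_target(block.hash(), difficulty):
        block.nonce += 1
        attempts += 1
    return attempts


def build_chain(tx_batches, difficulty: int = DIFFICULTY) -> list:
    """Mine one block per batch of transactions, each committing to the previous block's hash."""
    chain = []
    prev_hash = "0" * 64  # the genesis block has no predecessor
    for i, txs in enumerate(tx_batches):
        block = Block(index=i, prev_hash=prev_hash, transactions=list(txs))
        mine(block, difficulty)
        chain.append(block)
        prev_hash = block.hash()
    return chain


def verify_chain(chain, difficulty: int = DIFFICULTY) -> bool:
    """Anyone can cheaply re-verify: every hash meets the target and every link matches."""
    prev_hash = "0" * 64
    for i, block in enumerate(chain):
        if block.index != i or block.prev_hash != prev_hash:
            return False
        if not meets_target(block.hash(), difficulty):
            return False
        prev_hash = block.hash()
    return True


if __name__ == "__main__":
    # Constructed transactions; changing an old block breaks every later link.
    chain = build_chain([["alice->bob:5"], ["bob->carol:2"], ["carol->dave:1"]])
    print("valid:", verify_chain(chain))
    chain[0].transactions[0] = "alice->bob:500"
    print("valid after tampering:", verify_chain(chain))
```

Two things the block shows that the prose only states: finding a nonce is expensive while checking one is a single hash, which is why verification is cheap for the whole network but mining burns resources; and because each block embeds the previous hash, altering a transaction in an earlier block changes that block’s hash and every later `prev_hash` link no longer matches, so the tampered chain fails verification.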

“What Does Any of This Have to do with HIPAA Health Care?”

Cryptomining malware is surreptitiously installed on a user’s computer. Once installed, it turns the affected computer, in effect, into a mining operation – one through which the miners solve their math problems and “earn” their coins and cash.

Here’s the problem: cryptomining has an enormous appetite for computing power. While the malware drives the mining, the process consumes significant processing capacity, bandwidth, and even electricity. Particularly persistent forms of malware keep consuming resources even after the user has logged off.

Eventually, a device or network may simply be unable to meet the mining malware’s resource demands, causing the device or network to crash.

Since any Internet-connected device can be infected with cryptomining malware, devices used by covered entities or business associates that lack essential security features (antivirus software, firewalls, and current operating system updates and patches, among others) can shut down or suffer total system failure when attacked. ePHI is then compromised: lost, rendered inaccessible, or damaged beyond repair. That implicates the HIPAA Security Rule, and if an organization is found to have implemented ineffective security safeguards, the Department of Health and Human Services’ Office for Civil Rights (OCR) can audit and fine that organization.
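One defensive heuristic for the resource-hijacking symptom just described, added here as an illustration (it is not from the original article or any vendor product): it flags processes that stay above a CPU threshold for a sustained run of minutes and separately counts how many of those minutes passed with no user logged in, since the text notes that persistent miners keep running after logoff. The telemetry rows, the host name `ws-017`, the process names and the `ALLOWLIST` of expected heavy processes are all constructed.

```python
"""Heuristic for sustained, unexplained CPU use, a common cryptomining symptom. Constructed example."""
from collections import defaultdict

# Hypothetical processes expected to run hot for long periods (backups, AV scans); tune per fleet.
ALLOWLIST = frozenset({"backup.exe", "av_scan.exe"})


def build_constructed_samples():
    """Constructed per-minute telemetry rows: (minute, host, process, cpu_percent, user_logged_in)."""
    rows = []
    for minute in range(30):
        logged_in = minute < 15  # the user logs off at minute 15
        # Hot for the whole window and still hot after logoff: the pattern the text describes.
        rows.append((minute, "ws-017", "updater.exe", 97.0, logged_in))
        # A short, legitimate spike that should not be flagged.
        rows.append((minute, "ws-017", "chrome.exe", 90.0 if 5 <= minute < 8 else 12.0, logged_in))
        # An expected heavy process, covered by the allowlist.
        rows.append((minute, "ws-017", "backup.exe", 88.0, logged_in))
    return rows


def find_sustained_cpu(samples, threshold=80.0, min_minutes=10, allowlist=ALLOWLIST):
    """Return {(host, process): {...}} for processes above `threshold` for >= min_minutes in a row.

    `minutes_hot_logged_off` counts how much of that run happened with nobody logged in,
    which is a stronger signal than raw CPU use alone.
    """
    by_proc = defaultdict(list)
    for minute, host, proc, cpu, logged_in in samples:
        by_proc[(host, proc)].append((minute, cpu, logged_in))

    findings = {}
    for (host, proc), rows in by_proc.items():
        if proc in allowlist:
            continue
        rows.sort()
        best = (0, 0)          # (longest hot run, minutes of that run with no user logged in)
        run = off = 0
        prev_minute = None
        for minute, cpu, logged_in in rows:
            gap = prev_minute is not None and minute != prev_minute + 1
            if cpu < threshold or gap:
                run = off = 0  # the run is broken by a cool sample or a missing minute
            if cpu >= threshold:
                run += 1
                off += 0 if logged_in else 1
            best = max(best, (run, off))
            prev_minute = minute
        if best[0] >= min_minutes:
            findings[(host, proc)] = {"minutes_hot": best[0], "minutes_hot_logged_off": best[1]}
    return findings


if __name__ == "__main__":
    for key, detail in find_sustained_cpu(build_constructed_samples()).items():
        print(key, detail)
```

The run-length approach matters: a single high sample is normal, a three-minute spike from a browser is normal, but a process pinned at the top of the CPU chart for the better part of an hour, half of it with nobody at the keyboard, is worth an analyst’s attention. The allowlist keeps known heavy jobs out of the queue; the logged-off count is what separates a busy user from something running on its own.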

Compliancy Group Simplifies HIPAA Compliance

Covered entities and business associates can address their HIPAA cybersecurity compliance obligations under the Security Rule by working with Compliancy Group.

Our ongoing support and web-based compliance app, The Guard™, gives healthcare organizations the tools to address HIPAA cybersecurity issues so they can get back to confidently running their business.

Find out how Compliancy Group has helped thousands of organizations like yours Achieve, Illustrate, and Maintain™ their HIPAA compliance!

In 2017 alone there were more than 330 data breaches in the US medical and healthcare sector, which exposed 4.93 million patient records.

What’s more, data breaches in the healthcare sector are among the most costly with the average breach costing $408 per stolen record. In comparison, the global average of other industries across the world is $148 per record. The medical and healthcare industry in the United States is particularly vulnerable to data breaches. Here are a few reasons why:

Healthcare organizations store a high volume of patient records with valuable and private data

A lack of mobile security protocols with the BYOD (Bring Your Own Device) trend makes it easier for hackers to breach a network.

IoT medical devices and other popular technologies in the healthcare industry like multi-cloud IaaS or SaaS environments provide cybercriminals with more opportunities to hack into a network.

The healthcare industry is one of the lowest performing industries when it comes to endpoint security, and the sector as a whole ranks poorly in terms of cybersecurity strength compared to other major industries, making it an easier target for cybercriminals.

Chances are you don’t want to spend $50,000 or more in fines for a HIPAA violation, so it’s more critical than ever for you and your healthcare organization to implement the required cybersecurity protocols to ensure you’re protecting sensitive patient data from cybercriminals and hacks.

Here’s how you can improve your IT security and make sure you’re implementing healthcare security best practices.

1. Ensure All Employees are Properly Trained

One of the best ways to prevent the risk of data breaches is to make sure all employees and contractors receive the training they need to meet HIPAA requirements and keep data safe.

A proper employee training program will include factors such as:

Disaster Response

Fire Response (RACE) and Prevention

Workplace Violence Prevention and Response

VIP Security Control

EMTALA (Emergency Medical Treatment and Labor Act)

Command Center Operations

HIPAA Controls and Compliance

Training on The Joint Commission and other Accrediting Bodies

Crime Prevention

Safety Compliance

What’s more, your training program should go beyond initial training to provide frequent updates to your employees so they can stay on top of the latest trends and threats.


2. Prioritize Real-Time Evaluation and Response

Want to save your organization thousands of dollars every year? A study by Ponemon Institute discovered that IT teams wasted 425 hours per week trying to solve false negatives and false positives. Healthcare organizations saved an average of $2.1 million yearly by implementing a system where IT teams were able to evaluate security posture in real time, patch all devices for known vulnerabilities, and proactively address emerging threats with data controls and/or patch distribution. This also increases your chances of preventing the risk of an expensive cyber-attack.

3. Leverage the Power of Automation

Since many healthcare organizations are decentralized, it can be more difficult to coordinate software patching and updates. To make sure software updates are fast but thorough, leverage the power of automation where possible to eliminate any vulnerabilities a cybercriminal might exploit.

4. Restrict Access When Needed

Even though employee training is critical, ensuring that your employees can only access sensitive or critical data on a need-to-know basis is another healthcare security best practice.

All data should be stored in a centralized location that is protected by a role-based access control system. Those with access should only see what they need to do their jobs, and once the information is no longer required, access should be removed automatically.

Moreover, technologies should be implemented to track and analyze data access as a way to spot suspicious activities.
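The three controls above (need-to-know by role, automatic removal of access once it is no longer required, and tracking of data access to spot suspicious activity) fit together in one small mechanism. The following is an added example, not code from the original page: role permissions, time-bound grants that expire on their own, an audit trail of every decision, and a simple check over that trail for users touching unusually many records. The roles, categories, user names, record ids and the five-record threshold are constructed for illustration.

```python
"""Role-based, time-bound access control with an audit trail for ePHI.

Added example (not from the original page). Roles, categories, users,
record ids and thresholds are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed policy: each role sees only the data categories its job needs.
ROLE_PERMISSIONS = {
    "nurse": {"vitals", "medications"},
    "billing": {"insurance", "charges"},
    "physician": {"vitals", "medications", "notes", "labs"},
}


@dataclass
class Grant:
    user: str
    role: str
    expires: datetime   # access is removed automatically after this time


@dataclass
class AccessControl:
    grants: dict = field(default_factory=dict)   # user -> Grant
    audit: list = field(default_factory=list)    # one entry per decision or expiry

    def grant(self, user, role, ttl: timedelta, now: datetime):
        """Give a user a role for a limited time (no open-ended access)."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        self.grants[user] = Grant(user, role, now + ttl)
        self.audit.append({"ts": now, "user": user, "event": "grant", "role": role})

    def _expire(self, now: datetime):
        """Drop every grant whose lifetime has ended, recording the removal."""
        for user in [u for u, g in self.grants.items() if g.expires <= now]:
            del self.grants[user]
            self.audit.append({"ts": now, "user": user, "event": "grant_expired"})

    def can_access(self, user, category, record_id, now: datetime) -> bool:
        """Decide one access request and log it, allowed or not."""
        self._expire(now)
        g = self.grants.get(user)
        allowed = g is not None and category in ROLE_PERMISSIONS[g.role]
        self.audit.append({"ts": now, "user": user, "event": "access",
                           "category": category, "record": record_id,
                           "allowed": allowed})
        return allowed

    def flag_unusual_volume(self, window: timedelta, max_records: int, now: datetime):
        """Users who read more distinct records than max_records inside the window.
        A crude but useful signal for bulk browsing of patient data."""
        since = now - window
        seen = {}
        for e in self.audit:
            if e["event"] == "access" and e["allowed"] and e["ts"] >= since:
                seen.setdefault(e["user"], set()).add(e["record"])
        return {u for u, recs in seen.items() if len(recs) > max_records}


def run_scenario():
    """Constructed walk-through; returns the decisions so they can be checked."""
    t0 = datetime(2019, 1, 1, 8, 0)
    ac = AccessControl()
    ac.grant("nurse_a", "nurse", timedelta(hours=8), t0)
    ac.grant("billing_b", "billing", timedelta(hours=8), t0)
    results = {
        "nurse_vitals": ac.can_access("nurse_a", "vitals", "rec-1", t0),
        "nurse_insurance": ac.can_access("nurse_a", "insurance", "rec-1", t0),
    }
    # billing_b pulls six different records in ten minutes (constructed behaviour)
    for i in range(6):
        ac.can_access("billing_b", "charges", f"rec-{i}", t0 + timedelta(minutes=i))
    # nine hours later both shift grants have lapsed on their own
    results["after_expiry"] = ac.can_access("nurse_a", "vitals", "rec-2",
                                            t0 + timedelta(hours=9))
    results["expired_events"] = [e["user"] for e in ac.audit
                                 if e["event"] == "grant_expired"]
    results["flagged"] = ac.flag_unusual_volume(timedelta(hours=1), 5,
                                                t0 + timedelta(minutes=10))
    return results


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, v)
```

In the scenario, the nurse can read vitals but not insurance data, the request made after the grant’s lifetime is denied and logged as an expiry, and the billing user who read six distinct records within the hour is flagged for review. The audit list is deliberately append-only; in a real system it would be written to tamper-evident storage, since it is the record the passage says you need to spot suspicious activity.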

5. Have a Disaster Recovery Plan in Place

To comply with the HIPAA Security Rule, you must have a disaster recovery plan in place and ways to recover and maintain ePHI (electronic Protected Health Information) in case of an emergency. That means you should be backing up all files regularly so data restoration can be quick and easy. A good rule of thumb is to back up your data both locally and remotely (ex: on a recovery disc as well as on a cloud-based server), and you should aim to store all backed-up information away from the main system whenever possible.

6. Encrypt All Data

Data encryption makes sensitive information unreadable, which makes it much harder for cybercriminals to gain access to that data even if a network is hacked or a mobile device is missing or stolen.

It’s also important to make sure that all data is encrypted not only when it is at rest (being stored) but also when it is in motion (ex: sending an email). This way sensitive information is protected at all times.

Since the healthcare industry is one of the most frequent targets for cybercriminals and one of the most expensive when it comes to addressing a data breach, it’s vital to implement these healthcare security best practices and stay on top of the latest trends in IT security. Help your organization avoid the risk of data breaches and costly fines and give yourself peace of mind knowing that all HIPAA requirements are being met and your patients can trust their sensitive information in your hands.

Following these tips will help keep your healthcare company safe and reduce the risk of expensive cybersecurity threats.

The HIPAA Administrative Simplification Rules establish national standards for electronic transactions and code sets to maintain the privacy and security of protected health information (PHI). These standards are often referred to as electronic data interchange or EDI standards.

HIPAA covered entities (which include health care providers, health plans, health care clearinghouses) and HIPAA business associates must adopt these standards for transactions that involve the electronic exchange of health care data. Such transactions may include claims and checking claim status. Other such transactions may involve encounter information, eligibility, enrollment and disenrollment, referrals, authorizations, premium payments, coordination of benefits, and payment and remittance advice.

Unique identifiers, such as a Health Plan Identifier, Employer Identification Number, or National Provider Identifier, are required for all HIPAA transactions.

Code sets are standard codes that all HIPAA covered entities must adopt. These codes have been developed for diagnoses, procedures, diagnostic tests, treatments, and equipment and supplies. HIPAA details several code sets including NDC national drug codes; CDT codes for dental procedures; CPT codes for procedures; the HCPCS health care common procedure coding system; and the code set for the international classification of diseases (ICD-10).

Updates to the HIPAA Administrative Simplification Rules

The HIPAA Administrative Simplification Rules were updated after the Affordable Care Act was passed in 2010 to include new operating rules specifying the information that must be included for all HIPAA transactions.

HIPAA covered entities must follow national standards, which were set to protect patients’ privacy (HIPAA Privacy Rule) and improve PHI security (HIPAA Security Rule), in addition to the HIPAA Administrative Simplification Rules. The Final Omnibus Rule, which was enacted in 2013, now includes HITECH Act standards in its HIPAA regulations; the standards added new requirements for breach notifications in the HIPAA Breach Notification Rule.

The HIPAA Administrative Simplification Regulations apply to all HIPAA covered entities and HIPAA business associates, not only those that work with Medicare or Medicaid.

Addressing the HIPAA Administrative Simplification Rules with Compliancy Group

Compliancy Group allows health care professionals and vendors across the industry to address the full extent of their HIPAA regulatory requirements, including HIPAA Administrative Simplification Rules, with our HIPAA compliance solution, The Guard. The Guard is a web-based HIPAA compliance app that allows users to confidently address their HIPAA compliance so they can get back to running their business.

The healthcare industry is one of the largest industries in the United States and potentially the most vulnerable. The healthcare sector is twice as likely to be the target of a cyberattack as other sectors, resulting in countless breaches and millions of compromised patients per year. Advancements in the techniques and technology of hackers and identity thieves could escalate these vulnerabilities into a major crisis if the healthcare industry doesn’t adapt.

Cybersecurity in Healthcare

In 2015, over 113 million patients in the healthcare industry were the victims of an information breach, resulting in lost patient revenue and identity theft. The high volume of cyberattacks on healthcare organizations may be an indicator; the average organization receives 32,000 cyberattacks on a daily basis, a much higher rate than other industries experience. A lack of cybersecurity infrastructure and the high value of personal information makes these organizations likely targets for cybercriminals.

The healthcare industry’s increasing reliance on electronic medical records and internet-connected medical devices means the problem of data breaches could increase in the coming years. In 2017, the estimated total losses from cyberattacks amounted to $1.2 billion, and this number is expected to grow as the attack surface of the healthcare industry increases. The same way consumers and patients have their own resources to protect against identity theft, healthcare organizations need their own systems in place to protect against cyber threats. The following list covers the biggest threats to the industry going forward.

1. DATA BREACHES

The healthcare industry has the highest rates of data breaches out of any sector. Of the 551 data breaches in 2017, 60% were in the healthcare industry. In some cases, hackers have broken into healthcare databases undetected and maintained access for weeks before they were discovered.

The most common types of data breaches are hacking and malware-based attacks. Hackers can sell healthcare data and medical records for over 100 times more than personal data from non-healthcare industries. But not all data breaches are cybersecurity-related; a data leak can also occur through an employee or a lost laptop.

To thwart data breaches, healthcare organizations should ensure that data is encrypted at every point between the patient and an organization’s data storage. Trainings for healthcare staff on data security can also help reduce the number of accidental disclosures.

2. RANSOMWARE

Ransomware attacks tripled in 2017, and the healthcare industry receives more of these attacks than any other industry. A ransomware virus disables a computer or server until a ransom is paid to the hacker. Hospitals use their IT systems for critical patient care, making ransomware potentially life-threatening if it causes a delay in critical care processes.

In 2016, a ransomware attack rendered the hospital network of Hollywood Presbyterian Medical Center inoperable until the administration paid out $17,000 to the attackers. An analysis of the attack showed that the hackers had gained access to an outdated server without using hospital staff as an entry point. Attacks like this demonstrate the importance of a two-part approach to cybersecurity that involves staff training and rigorous network security protocols.

3. SOCIAL ENGINEERING

Hackers looking to exploit a healthcare network’s security system often target hospital staff and other human victims in order to gain access. This type of attack happens through social engineering as a means of subverting even the most rigorous security systems. Phishing attacks, the most common social engineering approach, use a manipulative email to trick a victim into clicking a link or entering their password information. These emails will often download malicious software directly to the system, granting the attacker unlimited access.

Unlike other security threats, social engineering approaches can be combated only through education: training for staff and administrators on identifying a phishing email and avoiding malicious links. Many organizations employ a strategy known as “red teaming,” where trained cybersecurity professionals play the role of attackers and test the organization’s preparedness.

4. DISTRIBUTED DENIAL OF SERVICE ATTACKS

Distributed denial of service (DDoS) attacks are purely disruptive and are a popular tactic for hacktivists who want to shut down a network out of protest, malice or anarchism. These attacks create a coordinated assault from several hundred to several thousand computers, which overwhelm a network or server to the point of inoperability.

In 2014, Boston Children’s Hospital was embroiled in a controversial custody case involving a 14-year-old patient. The sensitive nature of the case spurred the hacktivist group Anonymous to conduct a successful DDoS attack, which resulted in over $300,000 in damage and lost productivity over a one-week period. Healthcare is often connected closely with politics, and it’s likely that DDoS attacks could occur more frequently in the future. Protecting against these attacks requires close coordination with service providers to ensure that critical networks can remain operational under a DDoS onslaught.

5. INSIDER THREATS

A healthcare organization’s cybersecurity system is only as strong as its weakest link. Even the most rigorous cybersecurity network can be bypassed by an insider, making this type of attack one of the most difficult to prevent. Many disgruntled or criminally motivated employees have compromised healthcare organizations by installing entry points to a hospital’s network from the inside.

Insider threats aren’t necessarily malicious. The increasing number of personal devices in hospitals poses an additional insider threat to these organizations. Smartphones, tablets, and laptops are allowed at 81% of healthcare organizations, but only half of these organizations have plans in place to secure these devices. Personal devices are often unencrypted and may be carrying malicious viruses or “worms” that can compromise connected networks.

Cybersecurity is a constantly evolving field. Healthcare organizations must be ready to invest in ongoing security protocols to remain ahead of the most common attacks. Complete security might be impossible, but a reduction in service interruptions and lost data could help healthcare organizations exponentially going forward.

The healthcare industry is moving from products and services to solutions. Just a few years ago, medical institutions relied on special equipment and hardware to deliver evidence-based care. Today is the time of medical platforms, big data, and healthcare analytics. Healthcare institutions are focused on real-time results. The next decade will be focused on preventive care, and here new healthcare technology trends will come into play.

Artificial intelligence

The modern healthcare industry has already introduced AI-based technologies like robotics and machine learning to the world. For example, IBM Watson is an AI-based system that’s making a difference in several areas of healthcare. The IBM Watson Care Manager was produced to enhance care management, accelerate drug discovery, match patients with clinical trials, and fulfill other tasks. Systems like this can help medical institutions save a great deal of time and money in the future.

It’s likely that in 2019 and beyond, AI will become even more advanced and will be able to carry out a wider range of tasks without human monitoring. Here are some predictions of AI trends in healthcare:

Early diagnosis

This healthcare technology trend can accurately and quickly process a lot more data than the human brain. So AI tools can reduce human errors in diagnosis and treatment and allow doctors to work with more patients. For example, image recognition technology will help to diagnose some diseases that cause changes to appearance (diabetes, optical deviations, and dermatological diseases). It’s also likely that in future people will be able to diagnose themselves. DIY medical diagnosis apps will probably ask some questions, process a patient’s care history, and then show possible diagnoses based on the current symptoms. But as this technology isn’t advanced yet, patients should be careful with DIY medical apps and self-medication.

Medical research and drug discovery

The future of drug discovery and medical research lies in deep learning technology. Deep learning is a field of machine learning that’s able to model the way neurons interact with each other in the brain. This allows medical systems to process large sets of data to quickly identify drug candidates with a high probability of success. A Pharma IQ report says that about 94 percent of pharma specialists believe that AI technologies will have a noticeable impact on drug discovery over the next two years. Even today, pharmaceutical giants such as Merck, Celgene, and GSK are working on drug discovery in collaboration with AI platforms, predicting AI to be the primary drug discovery tool in the future.

Better workflow management and accounting

There are a lot of routine and tiresome tasks that medical workers have to do apart from caring for patients. AI can reduce staff overload by automating monotonous tasks such as accounting, scheduling, managing electronic health records, and paperwork.

IoMT

The Internet of Medical Things (IoMT) includes various devices connected to each other via the internet. Nowadays, this technology trend in healthcare is used for remote monitoring of patients’ well-being by means of wearables. For example, ECG monitors, mobile apps, fitness trackers, and smart sensors can measure blood pressure, pulse, heart rate, glucose level, and more and set reminders for patients. One recently introduced IoMT wearable device, the Apple Watch Series 4, is able to measure heart rate, count calories burned, and even detect a fall and call emergency numbers. The FDA has recently approved a pill with sensors called Abilify MyCite that can digitally track if a patient has taken it.

IoMT technology is still evolving and is forecasted to reach about 30 billion devices worldwide by 2021 according to Frost & Sullivan.

IoMT will contribute sensors and systems in the healthcare industry to capture data and deliver it accurately.

IoMT technology can reduce the costs of healthcare solutions by allowing doctors to examine patients remotely.

For medical students with the University of Arizona College of Medicine – Tucson, weeks of suspense will end on March 15. Otherwise known as Match Day, it’s the day the students will learn where they will go for their residency training, in their chosen medical field, after they graduate from medical school in May.

Sarah Joy Ring, who has completed the College of Medicine – Tucson’s Rural Health Professions Program and a 16-week Rural Health Distinction Track, is hoping for a residency focused on both pediatrics and emergency medicine, potentially in a rural location. Her “capstone” paper, an in-depth research project that all Distinction Track students are expected to complete, carries the impressive title of “A Survey of Rural Emergency Medicine and the Discrepancy of Care for Pediatric Patients that Present to Rural Emergency Departments.”

During her training, she had opportunities to see how important telemedicine can be in rural communities.

“I was at sites that had telemedicine capabilities and spent some time chatting with the physicians about them. I can specifically remember two experiences, one while on my family medicine rotation in Tuba City (in northern Arizona, where students learn about American Indian healthcare) and one during my RHPP summer in Flagstaff” (also in northern Arizona).

“Tuba City experiences a significant shortage of mental health providers in general, and specifically for children and adolescents,” Sarah says.

“As such, they found using telemedicine helpful to connect the children of that region with services that they would otherwise struggle to receive, due to having to travel large distances to receive help, which incurs financial and time burdens for families.

“Moreover, a point that I found particularly enlightening when learning about this service, was with regard to what it means to live in a small population where it is quite likely you know most people living in the region,” Sarah says.

“The physicians found that because of this, many adolescents experiencing difficulties often felt uncomfortable sharing with people who lived in the region, out of fear that they may tell someone, or that they were themselves a relative or family friend, which can be a common experience. Having someone to share with who lived out of the region and was not specifically invested in the region and an integral member of the community made many of these adolescents more comfortable with disclosing their experiences.

“I also worked on writing about how telemedicine can be used to augment pediatric services in rural emergency departments for part of my ‘capstone’ project and found some very positive results from multiple studies. For critically ill patients, one study found that in particular, telemedicine consults improved the access to critical care specialists, resulting in a reduced frequency of physician-related medication errors. Moreover, another study found that parent satisfaction was higher with telemedicine consults than with phone consults, which is a particularly important outcome when caring for pediatric patients and their family. Many of these same findings also translated to the pre-hospital environment, where ambulances that utilized telemedicine resulted in better assessments, more interventions in the pre-hospital environment, and improved outcomes for pediatric patients in pre-hospital care.

“Overall,” Sarah says, “I think that we will continue to find that telemedicine is an excellent resource for rural providers that allows patients to have clinically significant access to additional resources and care that would otherwise be difficult or unavailable to the region.”

Ten Cisco IP Phone Options for Your Sales Team

1) The Cisco 8865. Sales organizations seeking the latest in cutting-edge HD video communications will find the 8865 to their liking. Designed to function flawlessly in shared work environments, the 8865 offers a comprehensive collection of VoIP features. Key characteristics of the 8865 include the following:

A 5-inch widescreen VGA color display

High-quality 720p two-way HD video for a superb visual experience

Superb video and VoIP clarity

An optional key expansion module that facilitates dialing

Flexible deployment options

Additionally, the 8865 is compatible with a variety of USB headsets, including models made by third-party vendors. This advantage enables companies with offshore call centers to easily and affordably replace headsets through local suppliers.

2) The Cisco 8845. The 8845 was designed for optimum user productivity. In addition to offering basic calling features such as transfer, conference, and hold/resume, the 8845 allows sales reps to employ its multi-call-per-line feature to handle multiple calls for each directory number. The most pertinent features for sales and customer service agents are as follows:

A 5-inch high-resolution widescreen backlit color display

High-quality 720p two-way HD video

Five programmable lines

Outstanding audio acoustics

One-touch access to applications

In addition to these key features, the 8845 is known for its integrated digital camera and outstanding encryption of voice and video communications.

3) The Cisco 7945G. Like the 8845, the Cisco 7945G possesses an adaptable, dynamic design that facilitates organizational growth. Regular, unobtrusive software updates help to ensure that sales and customer service representatives maintain a competitive edge in efficiency and productivity. Key characteristics of the 7945G include the following:

The 7945G is also known for its integrated support for over 30 languages, making it an excellent choice for organizations with employees in multiple countries.

4) The Cisco SPA303G. The SPA303G IP phone was constructed with utility and affordability in mind. It is the perfect option for organizations that do not require a large color display or other sophisticated features present on recently designed IP phones. Key characteristics of the SPA303G include the following:

A backlit monochrome LCD screen (128 x 64 pixels)

Three voice lines

Caller ID

A menu-operated user interface

Automatic redial of the most recent number called

Two final points to consider are the SPA303G’s simple installation process and secure remote provisioning tools. Software upgrades are easy to make and do not interfere with regular business, giving sales and customer service managers peace of mind.

5) The Cisco SPA504G. The SPA504G IP phone possesses the same robust collection of features as the 303G. However, the SPA504G also includes an additional voice line, Power over Ethernet (PoE) support, and other upgrades that make it a more attractive option for sales professionals who field a lot of calls. Key characteristics of the SPA504G include the following:

6) The Cisco SPA514G. With its dual Gigabit Ethernet switched ports and secure remote provisioning, the SPA514G is a logical choice for call centers with single or multiple locations. Key specifications include:

A backlit monochrome LCD screen (128 x 64 pixels)

Four voice lines

Supports Power over Ethernet (PoE)

A menu-operated user interface

Automatic redial of the most recent number called

Like other models in Cisco’s SPA line, the SPA514G is known for its ease of installation and simple station moves, making it a favorite among sales managers and IT staff alike.

7) The Cisco 7940G. Designed with the needs of transaction-type employees in mind, the Cisco 7940G is a model for call center managers to consider. Additional benefits for call center agents include categorization of incoming messages for users and customizable network configuration preferences. The 7940G boasts a robust collection of capabilities, including the following:

The ability for hands-free changes, facilitating moves to any new network location without system administration

The availability of a variety of user accessibility methods, including soft keys, buttons, or direct access

More than 24 unique ringer sounds and volume settings

A dedicated headset port that allows the handset to remain in its cradle

Easy access to a variety of information, including stock market updates, weather, and other web-based news

In addition to these advantages, the 7940G features an ADA-compliant dial pad and HAC handset, facilitating compliance with industry regulations. The 7940G also has a foot stand that can be adjusted up to 60 degrees for optimum viewing and comfort.

8) Cisco 7912G. The 7912G offers outstanding value to companies facing tight budgetary constraints. A snapshot of the basic features of the 7912G is as follows:

Single voice line support

A monochrome, pixel-based display that displays the caller’s name and number

Call forwarding and call waiting

On-hook dialing

Four speed-dials

Because the 7912G is an older model phone, it is no longer available for purchase directly through Cisco, but may be purchased through online resellers.

9) The Cisco CP-8831-K9. The CP-8831-K9 is distinct from the other Cisco phones on this list because it is designed specifically for conference calls. The CP-8831-K9 provides an acoustically pleasing experience for a large group of sales representatives and call center agents. Boasting the following five strengths, the CP-8831-K9 is particularly beneficial to companies that regularly hold audio conference calls with customer groups or vendors:

High-definition audio performance

360-degree coverage

Scalability to optimize conference calls in rooms and offices of every size

Flexibility and convenience through a mobile control panel

Expandability through the use of wired or wireless extension microphones

The CP-8831-K9 also includes a number of subtly impressive features such as echo suppression, noise reduction, and silence suppression. The inclusion of these premium features makes the CP-8831-K9 an excellent choice for sales organizations that require a dependable conference phone.

10) The Cisco 8800 Key Module. While this module is not a telephone in and of itself, it deserves inclusion in this list because of its progressive ability to transform Cisco’s 8851, 8861, and 8865 telephones. In addition to greatly enhancing productivity for phone users, the 8800 key module offers busy sales representatives one-button access to the colleagues with whom they communicate with the greatest frequency. Notable features of the 8800 key module include the following:

18 programmable LED lines per module

A backlit, high-resolution 4.3-inch color display for easy viewing

Users can choose between Power over Ethernet (PoE) or a local power cube

A power save plus option to help companies save money and conserve energy.

For 15 years, I was a home hospice nurse who went out on emergency nighttime visits to patients who were experiencing symptoms that terrified their family. The travel distance added to the anxiety and suffering of family and patients. I always thought that just because a family chooses to live in a rural area, they should not have to accept suffering as “the price they have to pay.”

Since then, I have focused on enabling the provision of healthcare services to patients who choose to live in the beauty of a rural environment. Using telehealth technology to rapidly view, assess and improve a patient’s situation has been foremost in my program of research.

I know I do not have to describe the explosion of telehealth during the last 15 years to readers of this blog. In my telehealth experience, I have gone from home hospice organizations thinking that I was suggesting a cold and unfeeling method of providing end-of-life care, to a global university’s interest in my sharing my telehealth expertise as an international Fulbright Specialist.

In December 2018, I was invited to spend 10 days at the Universidad Mayor (UM) in Chile, South America. The purpose of my visit was to investigate the use of simulation to teach telehealth at the university’s science campuses. The UM is a private university with 11 campuses in Santiago and one in Temuco. Despite the fact that UM was founded in 1988, only 30 years ago, there are currently 20,000 students enrolled in seven academic programs. It was clear to me that the reason behind the rapid, yet well-planned, expansion is the attention given to providing students with an education for the future, especially in the areas of healthcare. The Universidad is intentional and does not let time waste!

Thanks to a combined effort between UM administrators and Arizona Telemedicine Program initiatives, by January 6, 2019, I was in Santiago. Chile is a very long country, stretching 2,670 miles but only 217 miles at its widest point. The entire country covers almost 300,000 square miles. Forty-one percent of the population lives in three large cities, resulting in 10 million people living in rural areas.

I visited two campuses – Alameda and Huechuraba – in Santiago, Chile’s capital, during my first five days in the country. Both campuses have state-of-the-art simulation mannequins for training. At the Alameda Campus, I observed healthcare simulation training for dental surgery and odontology, the scientific study of the structure and diseases of teeth. At the Huechuraba campus, I observed medical, nursing and obstetric students all learning together, using the simulation mannequin to give birth as the focus for their collaboration.

My research program examines human factors that improve the use of telehealth. Effective communication is a critical variable. The technology can be of the best quality possible, but if the communication between the sender and the receiver is not effective, the outcome will not be optimal. With each new technology addition to our healthcare system, we should expect improvement, not merely substitution for existing processes.

Using the “seven Cs” of effective communication (being courteous, clear, correct, complete, concrete, concise, and considerate) contributes to teaching skills when instruction is in person. However, when instructing remotely, the other senses (smell, 360-degree visualization, and touch) are limited, so verbal attention to the seven Cs of effective communication becomes critical. Simulation is a great way to allow healthcare providers to learn skills without risk to the patient. This exciting collaboration with the forward-thinking Universidad Mayor will utilize existing simulation technology to teach healthcare providers of the future how to communicate effectively.

In order to reach a 93% chance of converting a lead, it takes an agent about 6 attempts; meanwhile, 10 to 15 are the number of 2-minute calls one has to make within the span of an hour; and, on an average, a sales agent needs to keep in touch with a clientele consisting of 2 large accounts, 6 medium accounts, and 50 small accounts to reach his or her monthly quota. Are your current modes of communication able to help you meet these numbers on the daily? If you answered “no,” then it’s about time that you get a grip, and take control of your business phone systems.

Imagine starting your career in sales sometime before the ’80s, when modern technological advancements didn’t exist; a time when going through the previously mentioned statistics meant doing it with an early version of a landline device. Luckily, today’s set of experts has given grave importance to the development of both software and hardware in easing the flow of communications. A more resilient, advanced, dependable, and cost-effective version of previous corporate communication tools, is this new breed of phone systems. But despite its seemingly pristine facade, these modern upgrades are still prone to issues. It is important for organizations to be aware of these possible circumstances, in order to effectively manage their phone systems, and have it fully optimized for the efficiency of operations.

Always One Step Ahead

Defying the forthcoming is probably not the wisest way to go about any internal issue. When dealing with something as vital as phone systems, it always pays to address the issue head on. Whether it is for internal communications or other communication functions, these pieces of technology are constantly being used. With this frequency of its usage, it does not matter how careful you are while using it. The daily wear and tear these phone systems go through make them very much prone to certain system problems. Giving yourself enough lead-time to adjust to eventual system troubleshooting requires that you know what is there to prepare for.

An upgrade to their system’s hardware is the primary problem faced by most companies. Yes, just like your smartphones, your business phones become obsolete too. Every year brings to the table a different challenge for developers to battle. And as time passes, the once top-of-the-line equipment that furnished your agents’ desks will see the end of its glory days. Newer systems are introduced to the market each year, and all of them cater to a company’s need to meet the growing list of demands from clients.

Living with a mental illness can be isolating and difficult. The long-standing stigma connected with mental illness, along with limited treatment accessibility, patients’ fear of the potential repercussions of family, friends, and employers finding out about their condition, have kept many individuals from seeking the support they need. Fortunately, these trends are starting to shift in a more positive direction.

Although some stigma and shame still surround such illnesses as depression, anxiety, OCD, and bipolar disorder, people are beginning to feel more comfortable about sharing their own struggles and finding support from others online. Telehealth and an interconnected world are coming together to end stigma and help people manage their mental health in a more effective way.

Perspectives About Behavioral Health Problems Are Improving

Technology has helped us to connect with one another in many positive ways, but this interconnectivity has been a double-edged sword for mental health. Social media and smartphones have led to a 24/7 lifestyle that can exacerbate or even create mental health issues. With that said, technology has also opened up a dialogue that is beginning to change the conversation and do away with the stigma surrounding mental illness.

Thanks to those who have shared their experiences online, more people are beginning to realize that mental illness is quite common. Ultimately, this change should mean that more people feel comfortable seeking treatment so they can live a healthy, more productive life.

Services Are Becoming More Accessible

Limited access to treatment has always been an obstacle for people seeking mental health services. Finding a therapist locally can be a challenge, because many mental health professionals may not accept some forms of insurance, or may not treat a patient’s particular needs. A 2017 Milliman report illustrated the shortage of mental health professionals nationwide, with only 8.9 psychiatrists for every 100,000 people, which leaves many people who seek treatment waiting months to get help.

The American Psychiatric Association fully supports telepsychiatry, now that telehealth has shown it can improve accessibility and enable patients to get the help they need without the struggle. Patients and professionals have found that therapy sessions via video chat and other remote services are as good as “face to face” sessions. Telehealth support is also key for patients with mental health needs; they can consult with a specialist without having to travel.

Telehealth is increasingly being utilized in emergency situations. Patients who are experiencing a mental health emergency can reach out to professionals 24/7 and receive remote monitoring when necessary. This helps to allow patients to maintain their independence while ensuring they have the support they need.

More Specialists Are Needed to Pave the Way Toward Change

Now that more people are opening up about their mental health challenges, many others are becoming inspired to take charge of their own mental health. That’s creating an unprecedented demand for behavioral health services in both traditional models and telemedicine. While this signals a positive cultural shift, the healthcare system is not prepared for this growing influx of new patients.

There are many mental health resources available to help people cope with common mental illnesses, but what is needed long-term is more mental health specialists. To ensure that every American has access to high-quality behavioral healthcare, we need more people to enter this growing field. According to some estimates, 70,000 mental health specialists in several disciplines will be necessary to meet demand by 2025.

The good news? Healthcare organizations are increasingly adapting to new trends to meet patients’ needs. Thanks to new same-day programs and mental health professionals at primary care facilities, patients can now get help in as little as 30 minutes.

Should You Pursue a Career in Behavioral Health?

A career in mental health is a great option for people who are committed to helping others. While becoming a behavioral health professional takes time and extensive education, it can be a satisfying career, and specializing in telemedicine is a great way to help solve the shortage of qualified professionals.

If anything, this seems like a needless question – especially for start-ups. A CRM and phone system is an advantage. If you’re a start-up, it is what you want on your side.

Just consider these numbers. According to Nucleus Research, when you invest a dollar in CRM, you get an average of $8.71 back. Plus, for each salesperson using CRM, you can increase your revenue by 41%.

So, even if your sales team is made up of only two or so people – or if it’s just you – a reliable CRM for small business is what you need to forge ahead and catch up with your competitors.

Still need convincing? Well, consider these signs that you need to set up a CRM and phone system for your business:

You fail to follow-up and eventually lose leads and opportunities.

You don’t remember where to pick things up with a prospect you previously called.

You feel like you have an unmanageable number of prospects – you can no longer keep track.

You start receiving negative feedback from your customers.

Advantages of CRM for Small Business

Get your start-up off the ground. Make the most of CRM for small business and enjoy advantages that improve your customer/prospect’s experience and your sales team’s efficiency and effectiveness. A comprehensive and reliable CRM makes a world of difference for your business so don’t miss out.

Information When You Need It

The right information, used at the right time, can get you a step closer to sealing the deal. It can also bridge communication gaps and make the overall client experience a little better.

The data that you have on your prospect or client comes into play at all stages of your sales cycle. Through CRM’s pop-up interface, you know a person’s location and call history even during the initial point of contact. It comes in handy when following up. You know what you’ve previously talked about. You have information that helps you personalize the conversation.

You might say that the non-techie approach here is to have a notebook prepared or perhaps use sticky notes as reminder. But can you imagine the amount of information you need to keep organized with just five prospects in a month? Without CRM, it won’t be long before you lose track of things and opportunities fall through the cracks.

Enhanced Communication

CRM helps you stay on top of your conversations with your prospects and clients. You get information that helps you personalize phone calls and presentations. You can also automate follow-ups according to user actions, schedules and events. And, when you do call to follow up, you know exactly where to pick things up from.

Better Service

According to the Global Customer Service Study, three out of four customers are willing to pay more for a better customer experience. And, the best way to guarantee better customer service and experience is through CRM for small business.

Key here is to remember that what you have with your clients – and what you want to have with your prospects – is a relationship. You need to be up to speed on previous conversations, call and purchase history, issues and resolutions and more.

Human memory is limited. You need CRM for small business to stay on top of your prospect/client engagements.

Task Automation

Important tasks, such as follow-ups and lead scoring, can be automated through CRM. This keeps you and your small team focused on more crucial matters, such as making sales calls and customizing sales presentations, among others.

Better Team Coordination

You are not going to be around 24/7 to deal with your prospects and clients. Somewhere along the line, your team steps in to help out. With CRM for small business, access to your contacts’ information is available to everyone, anywhere. You can lessen your lead leakage by being consistently available to your prospects and clients.

Improved Data Analyses and Reporting

In time, you will have amassed a good amount of data from your leads and clients. Understand this data and use it to assess where you are as a business, what markets you’re missing out on and which key performance analytics need improvement. A good CRM system provides you with reporting and data analyses that push you to improve and move forward as a business.

Why Should You Get CRM For Small Business Today

Regardless of your business size, you need a reliable CRM system. But why get one now?

Look at it this way: prospects and customers are at the core of a successful business. When you implement a CRM system at your start-up stage, you are making this focus clear.

What’s great about the CRM options that you have now is their scalability. You can get cloud-based CRM services, such as Salesforce, with the exact features, number of users and capacity that you need. Should you require more, you can add at any time.

You are organized right away and your customers will know this. You are able to manage leads, quotes and invoicing professionally. You can issue information, such as receivables, paid invoices and more, ASAP as required by your clients.

As such, you won’t have to worry about migration costs. What you used at limited capacity can easily be extended to suit bigger requirements. And, you will always have the latest version. Upgrades for cloud-based CRM come with the service, which is another thing you won’t have to worry about.

Information security risk management is a wide topic, with many notions, processes, and technologies that are often confused with each other.

Very often technical solutions (cybersecurity products) are presented as “risk management” solutions without process-related context.

Modern cybersecurity risk management is not possible without technical solutions, but these solutions alone, when not put in the context of correct risk management processes (and in the context of information-related processes) of an organization might not be enough to properly manage risks of information processing or might even cause a false sense of security.

In this new series of articles, I will explain some basic notions related to risk management, introduce and describe the phases of cyclic high-level process risk management, give more details on each of the phases and introduce the NIST and ISO standards related to risk management.

In this article, I will review the definition of risk, goals of risk management and list the main NIST and ISO standards related to information security risk management.

Cybersecurity risk management vs information security risk management

First of all, let’s briefly discuss the difference between “cybersecurity risk management” and “information security risk management”. Before “cybersecurity” became a buzzword, professionals dealing with information security used only the notions of “information security” and “IT security”.

Obviously “information security” is a wider term. It concerns the security of information, stored, processed or transmitted in any form (including paper). Information security also concerns people, processes, legal/regulatory matters and insurance. (Yes, insurance is also a way to reduce risk – by transferring it – and is thus a security measure.)

“IT security” is a term concerning “IT”, that is, Information Technology. So it concerns information processed in IT systems. Sometimes these notions (“information security” and “IT security”) were used (and still are used!) interchangeably, but formally this is wrong, because an IT system is only a part of the information processing system.

“Cybersecurity” is a nice buzzword of recent years. Almost everything is “cyber” these days. Unfortunately this word has different meanings, depending on who uses it. The “cyber” part of this word suggests it concerns technology, so in my private opinion the word “cybersecurity” is a younger brother of “IT security” (or, to be more precise, a younger clone). What is wrong with this word, in my opinion, is that it is often used to describe (or in) high-level documents like policies or process descriptions that have nothing to do with lower-level technology. But this is a trend we cannot change: the “cybersecurity everything” approach has been present in the information/IT security world for some time already and it is doing very well. So we have to adapt and adjust.

But at the same time we have to be very careful when using the word “cybersecurity” (do we really mean what we are saying?) and also when reading it (what does this word really mean in the context of other information it is “served” with?).

The goal of information security risk management

The main goal of information security risk management is to continuously address the risks to information processed by an organization. These risks are to be addressed according to the organization’s risk management policy.

Information security risk management is a part of the general risk management of an organization, so it should be aligned with the general, high-level risk management policy.

The realization of the above-mentioned goal of information security risk management depends on the following elements:

the information security risk management methodology;

the information security risk management policy and procedures;

the information security risk management process;

the information security risk management stakeholders.

I will be addressing all of these in the next articles in this series.

NIST and ISO standards

There are important (and practically applicable) NIST guidelines and ISO standards available on information security risk management.

The main high-level ISO standard on risk management is ISO 31000 (namely ISO 31000:2009: “Risk management — Principles and guidelines”; it is currently under review).

(It belongs to the same family of ISO standards as the ISO 27000 line of standards, which I touched on in my previous series of articles in Komunity.)

ISO 31000 introduces the risk management cycle that is applicable to (and should be used for) information security management, independent of the risk analysis methodology used. I will use this cycle to introduce the information security risk management process.

But before that, let me also mention other standards and guidelines on information security risk management:

I will come back to these standards after I describe the risk management cycle and its elements.

Risk definition

Let’s touch on another subject that is important and sometimes misunderstood – the notion of risk itself.

In common language, we often mix up all the notions related to risk management: the risk itself, vulnerability, threat, etc. We can’t do that if we want to run risk management properly. It is not only a matter of mixing up notions. These notions are used in every risk analysis methodology and shouldn’t be confused, otherwise one will not be able to perform the risk analysis correctly, or to understand its results and implement them in the risk management process cycle.

ISO 31000 defines risk as “effect of uncertainty on objectives” (please remember that this standard is a high-level standard). This effect can be positive or negative, which means that in terms of this standard (and other risk-related standards, as you will see) risk is neutral. This, as can easily be seen, is not consistent with the common language, in which risk is almost always a negative notion.

I’ll come back to this definition and to the definitions of the terms that are related to the notion of risk: vulnerability, threat, etc.
